Hacking Contest Fells iPhone, BlackBerry

Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers in early rounds at Pwn2Own, but two other smartphones running Android and Windows Phone 7 were unchallenged, the contest's sponsor said.

Charlie Miller became the first "four-peat" at the hacking competition Pwn2Own when he teamed with Dion Blazakis to take down the iPhone. Both Miller and Blazakis work for the Baltimore-based consulting firm Independent Security Evaluators (ISE).

Miller has walked off with winnings from Pwn2Own four years running -- 2008 through 2011 -- twice as many times as anyone else.

"Every other year I've had an exploit ready to go for months," said Miller in an interview after the win. "But this was a different experience, working under the time pressure because we were working on [the iPhone] exploit the night before."

Miller credited his partner for much of the work. "Dion's a really good researcher in his own right," said Miller.

Miller and Blazakis worked on their iPhone exploit for months, Miller said. "This one was pretty hard. Different bugs take different exploits, and this one was hard to exploit."

Pwn2Own winners are forbidden from discussing technical details of the vulnerabilities they exploit or releasing the attack code they've used. Instead, they turn over their findings and code to HP TippingPoint, the contest sponsor. TippingPoint in turn reports the vulnerabilities to vendors, who have six months to patch the bugs before TippingPoint publicly releases any information.

On the BlackBerry, a multi-national team composed of Vincenzo Iozzo, Ralf-Philipp Weinmann and a third researcher from the Netherlands matched Miller and Blazakis by hacking the Torch. Iozzo and Weinmann were old hands at Pwn2Own, having partnered in 2010 to successfully break into an iPhone 3GS at that year's contest.

Iozzo is an engineer at Zynamics GmbH, the German reverse engineering tool maker headed by noted researcher Thomas Dullien, better known as Halvar Flake. Zynamics was acquired by Google earlier this month for an undisclosed sum.

Weinmann, meanwhile, is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.

Both teams were busy tweaking their exploits before today's round, said Peter Vreugdenhil, a former Pwn2Own winner who now works for TippingPoint, and served as a contest judge this year.

"Both were actually tweaking their exploits at the [CanSecWest] conference," said Vreugdenhil, referring to the Vancouver, British Columbia security conference where Pwn2Own takes place.

The iPhone and BlackBerry Torch hacks, however, were over in seconds. "They hooked up their computers to the phones, and that was it," said Vreugdenhil.

The teams each will receive a check for $15,000 from TippingPoint, as well as the smartphones they exploited, in a ceremony Friday at CanSecWest.

However, other Pwn2Own targets, including two smartphones and one browser, came out unscathed because no one stepped up to take them on.

According to Vreugdenhil, the contestants slated to tackle the Samsung Nexus S (running Android) and the Dell Venue (running Windows Phone 7) had canceled earlier, not shown up or had withdrawn for other reasons.

Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software, had said earlier this week that he wouldn't make Pwn2Own because he had told Google about the bug he was going to use to hack. Google patched the vulnerability more than a week ago.

Oberheide had drawn the first slot in the Android part of the smartphone hacking competition.

George Hotz, also known as "geohot," reportedly withdrew last week to focus on his legal battle with Sony. Hotz, a well-known iPhone hacker, made news last month when he and others were sued by Sony after he showed how to jailbreak a Sony PlayStation 3 game console. He had been given first crack at Windows Phone 7.

Also unchallenged today was Mozilla's Firefox, said Vreugdenhil. Sam Dash, who had the pole position, withdrew because he couldn't get his exploit to run reliably.

Pwn2Own has one more day to run, but Vreugdenhil thought it unlikely anyone else would step forward to attempt exploits of the still-standing browsers and smartphones. No one, for instance, has demonstrated an exploit that breaks a smartphone's "baseband" processor, the component used to send and receive radio signals.

In January, Weinmann -- one of the three in the team that hacked the BlackBerry Torch today -- showed an exploit of the baseband processor, which let him turn a smartphone into a remote listening device.

Pwn2Own went to the trouble of building an isolation box that included a fake cellular base station so researchers could demo baseband exploits. But the box has gone unused.

"There's a tiny chance that someone will try tomorrow," Vreugdenhil said today. "But it's uncertain. I wouldn't even give it a 50-50 chance."

Even with some targets surviving unopposed by researchers, Vreugdenhil called Pwn2Own 2011 a success. "It's been a great two days," he said.

Miller agreed. "The contest is a good idea, and I wish there were more of them," said Miller. "They motivate guys like me, who are hard to motivate. And in the end it's a win-win for everyone."